Renewal of certificate failing

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: mote.mcgoverns.co.uk

I ran this command: sudo certbot --apache -v

It produced this output:
Renewing an existing certificate for mote.mcgoverns.co.uk

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: mote.mcgoverns.co.uk
Type: unauthorized
Detail: Invalid response from http://mote.mcgoverns.co.uk/.well-known/acme-challenge/-73hOFmlE5yFkFbfDdJNWX6IqijbZtDW_H1YTknfHH8 [217.41.24.7]: "\n\n404 Not Found\n\n

Not Found

\n<p"

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Apache/2.4.29 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 18.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.22.0

Hi @M4CC4 and welcome to the LE community forum

It seems that certbot is unable to locate the proper document root for your domain.
A likely cause of Apache being all too eager to run at all cost.

Let's see if we can unravel this mess.
Starting with the output of:
apachectl -t -D DUMP_VHOSTS

Also, since you mention "Renewal" in the post title...
Please show the output of:
certbot certificates

1 Like

Have you tried?:
certbot renew

Please show this file:

1 Like

This is ignored: [as yet unexplained]

[as the vhost config lacks a "server_name" definition]

And thus certbot fails to find a vhost that covers that name.
You can either:

  • fix the problem by assigning the proper server_name(s) within the vhost.
  • ignore the problem and use --webroot -w /var/www/html [instead of --apache]
2 Likes

There was that on the last line of the version of their post I see now.

But, good point about the rewrite. Shouldn't it be HTTP_HOST? Isn't there a bug with Apache not resolving SERVER_NAME right?

Or, don't use condition at all and always redirect to the intended VHost. Of course, I am assuming only ever this one domain name in this Apache.

2 Likes

I can't explain why it fails to redirect:

curl -Ii mote.mcgoverns.co.uk
HTTP/1.1 200 OK
Date: Fri, 07 Jan 2022 04:02:12 GMT
Server: Apache
Last-Modified: Thu, 06 Jan 2022 21:17:36 GMT
Accept-Ranges: bytes
Content-Length: 4748
Vary: Accept-Encoding
Content-Type: text/html

Yeah, that's a much simpler fix.

2 Likes

Also interested in seeing what's in:
/etc/letsencrypt/renewal/mote.mcgoverns.co.uk.conf

2 Likes

I am just guessing now but maybe because the VHost is an IP based form (not named-based), the SERVER_NAME value is not what we think?

Even though the VHost has the name it is just a symbolic for the IP in this case. That's why we saw this earlier:

sudo apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
217.41.24.7:80 mote.mcgoverns.co.uk (/etc/apache2/sites-enabled/000-default.conf:1)
*:443 mote.mcgoverns.co.uk (/etc/apache2/sites-enabled/000-default-le-ssl.conf:3)

Note the IP address preceding :80

I repeat, I am just guessing - it is odd for sure.

To test the idea, my first step would be to remove the condition to ensure any redirect works. Then add it back as a condition with HTTP_HOST and see if that worked. Try SERVER_NAME after that and see when it breaks.

Also, could try just setting the VHost as *:80 - that might fix it up right away

3 Likes
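
The check suggested in the post above, written out as an added example (not part of the original thread, and not certbot or Apache code): it parses `apachectl -t -D DUMP_VHOSTS` output and reports when the port-80 vhost for a name is bound to a specific IP instead of `*:80`. The function names and the `a.example` block are constructed for illustration, and the grouped "NameVirtualHost" layout goes beyond the two-line output quoted in the thread.

```python
import re

# Constructed sample: the two-line dump quoted in the thread, followed by a
# hypothetical name-based block (a.example) in apachectl's grouped layout.
SAMPLE_DUMP = """\
VirtualHost configuration:
217.41.24.7:80 mote.mcgoverns.co.uk (/etc/apache2/sites-enabled/000-default.conf:1)
*:443 mote.mcgoverns.co.uk (/etc/apache2/sites-enabled/000-default-le-ssl.conf:3)
*:8080                 is a NameVirtualHost
         default server a.example (/etc/apache2/sites-enabled/a.conf:1)
         port 8080 namevhost a.example (/etc/apache2/sites-enabled/a.conf:1)
"""

# One vhost on an address:port -> "addr:port name (file:line)"
SINGLE = re.compile(r"^(\S+):(\d+)\s+(\S+)\s+\((.+):(\d+)\)$")
# Several vhosts on an address:port -> header line, then indented entries
GROUP = re.compile(r"^(\S+):(\d+)\s+is a NameVirtualHost$")
NAMED = re.compile(r"^\s+port (\d+) namevhost (\S+)\s+\((.+):(\d+)\)$")

def parse_vhosts(dump):
    """Parse `apachectl -t -D DUMP_VHOSTS` text into a list of dicts."""
    vhosts, group_addr = [], None
    for raw in dump.splitlines():
        line = raw.rstrip()
        if m := SINGLE.match(line):
            addr, port, name, path, lineno = m.groups()
        elif m := GROUP.match(line):
            group_addr = m.group(1)
            continue
        elif (m := NAMED.match(line)) and group_addr is not None:
            addr, (port, name, path, lineno) = group_addr, m.groups()
        else:
            continue  # banner, "default server" and alias lines
        vhosts.append({"addr": addr, "port": int(port), "name": name,
                       "file": path, "line": int(lineno)})
    return vhosts

def port80_findings(dump, domain):
    """Report how `domain` is served on port 80, where HTTP-01 is validated.
    ServerAlias entries are not considered, only the primary name."""
    on80 = [v for v in parse_vhosts(dump)
            if v["port"] == 80 and v["name"] == domain]
    if not on80:
        return [f"no port-80 vhost named {domain}"]
    return [f"{v['file']}:{v['line']} listens on {v['addr']}:80, not *:80"
            for v in on80 if v["addr"] != "*"]

if __name__ == "__main__":
    print(port80_findings(SAMPLE_DUMP, "mote.mcgoverns.co.uk"))
```

An empty list means the name has a port-80 vhost on `*:80`; it does not by itself confirm that the challenge path is served.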

Hi Everyone,
sudo certbot certonly --webroot -w /var/www/html
WORKED... I now have a valid certificate thru to April 7th... final questions to you gurus

I have put a diary entry in now so that I do not forget when the cert expires, therefore before the 7th do I just use the command
sudo certbot renew
To get my next validity period? Any way I can extend the period to greater than 3 months validity?

No.

Just put the certbot renew in a root cronjob.

3 Likes
